From: Kent Overstreet
Date: Mon, 16 Mar 2020 18:49:52 +0000 (-0400)
Subject: bcachefs: Fix a use after free in dio write path
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=286d8ad040ddb9a496ac4a8551d72b827e604243;p=linux.git
bcachefs: Fix a use after free in dio write path
Signed-off-by: Kent Overstreet
Signed-off-by: Kent Overstreet
---
diff --git a/fs/bcachefs/fs-io.c b/fs/bcachefs/fs-io.c
index 4a20bb11151cb..726c55072b7bb 100644
--- a/fs/bcachefs/fs-io.c
+++ b/fs/bcachefs/fs-io.c
@@ -1787,7 +1787,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 struct bio_vec *bv;
 unsigned unaligned;
 u64 new_i_size;
- bool sync;
+ bool sync = dio->sync;
 long ret;
 if (dio->loop)
@@ -1830,7 +1830,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 if (!dio->sync && !dio->loop && dio->iter.count) {
 if (bch2_dio_write_copy_iov(dio)) {
- dio->sync = true;
+ dio->sync = sync = true;
 goto do_io;
 }
 }
@@ -1838,7 +1838,7 @@ do_io:
 dio->loop = true;
 closure_call(&dio->op.cl, bch2_write, NULL, NULL);
- if (dio->sync)
+ if (sync)
 wait_for_completion(&dio->done);
 else
 return -EIOCBQUEUED;
@@ -1872,7 +1872,6 @@ err:
 if (dio->free_iov)
 kfree(dio->iter.__iov);
- sync = dio->sync;
 bio_put(bio);
 /* inode->i_dio_count is our ref on inode and thus bch_fs */
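Review bot: The new initializer `bool sync = dio->sync;` in the first hunk carries the whole fix, yet nothing in the code says why the flag is copied, so a later cleanup could turn `if (sync)` in the third hunk back into `if (dio->sync)`. Going by the subject line, dio can presumably be freed by the write completion once `closure_call()` has run in the non-sync case; the commit message gives no detail on the race. I would add a comment at the declaration such as `/* dio may be freed by the completion path after closure_call() when !sync; use this copy from then on */`. The function body starts and ends outside the hunks.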
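Review bot: The condition `if (!dio->sync && !dio->loop && dio->iter.count) {` in the second hunk still reads the struct field, while the assignment two lines below it now has to keep two copies in step with `dio->sync = sync = true;`. The read happens before `closure_call()` on the visible lines, so it does not look like a lifetime problem in itself. Testing the local instead, `if (!sync && !dio->loop && dio->iter.count) {`, would leave one rule for the whole function: read `dio->sync` once at entry and use `sync` afterwards. The enclosing block begins outside the hunk.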